diff --git a/modules/server/forgejo.nix b/modules/server/forgejo.nix
new file mode 100644
index 0000000..e18046e
--- /dev/null
+++ b/modules/server/forgejo.nix
@@ -0,0 +1,41 @@
+{...} @ inp: let
+  flk = inp.config.flake;
+in {
+  flake.modules.nixos.server = {
+    lib,
+    config,
+    ...
+  }: {
+    sops.secrets."cloudflare/git" = {};
+
+    services.cloudflared.tunnels = lib.mkIf config.services.cloudflared.enable {
+      "git" = {
+        credentialsFile = "/run/secrets/cloudflare/git";
+        default = "http_status:404";
+        ingress = {
+          "git.${flk.meta.web.domain.domain}" = {
+            service = "http://localhost:5675";
+          };
+        };
+      };
+    };
+
+    services.forgejo = {
+      enable = true;
+      database.type = "postgres";
+      lfs.enable = true;
+      settings = {
+        server = {
+          DOMAIN = "git.${flk.meta.web.domain.domain}";
+          ROOT_URL = "https://git.${flk.meta.web.domain.domain}/";
+          HTTP_PORT = 5675;
+        };
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+        service.DISABLE_REGISTRATION = true;
+      };
+    };
+  };
+}
diff --git a/secrets.yaml b/secrets.yaml
index 50e8a69..edc73a5 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -6,6 +6,7 @@ copyparty:
         ron: ENC[AES256_GCM,data:8sw3Sf158A==,iv:9EyFYAxoFMGYijQ93lDOjSoaP/RHMtphlhto14ofXq0=,tag:T2MvVxUXnlx+yZyH0znZsA==,type:str]
 cloudflare:
     copyparty: ENC[AES256_GCM,data:SK8qhyjIiOsKzZsnh8W8/BRJmbHoLA6rCGGUzKb9ucbTiiCUhfnaR7A/0SSKKecrMwTmuCos0WnEUe0ixGWJcHncEoLpMyAQMfmL81wbyfDhkxrEjc77aSRomAqM9X/jWg3ocp4oxKKUkEfnnKUqkv4vse+J/lBZjlOoTtwiPoJ1V/GL2JKru/f/LoERQqCEaAqMnQeXJyi/5pf4wPCKLbRQxZ1LCmxeyMMRU0FgOQ==,iv:HqAmQR1SMd4D3uf0eSCfKBCO61mM/Zdfiv/RBlaiJkc=,tag:7ESjgrqkG9RWDAmV/2wGdA==,type:str]
+    git: ENC[AES256_GCM,data:QxpLDjVsPiIxSKq6hWUOBS0wWxZ2ccLmSYQA64U3n+Y42Uuaf92pJHt3CQ2ZSaIXWbgpVotln/vBexRA1RH4ZpF5vwyYX1XUwCisv3qdkS/P4/kZIt8TtdvYV1pVwxZRqm58aA0L4ZuNk0q5a1tscrXtLVJ2+uvF9we6Oloz5uMA+XCBwzkqo6Ucbc/47gbUPTRSzMRpY1n8ma71NiensFn0lGtyWfB7TW26pLbSVg==,iv:mZmufTufxBuRkE0YNBwRNV4Shq1Uq2r+MzsNuzPkzQI=,tag:igtKa2VSLBjY9eKWONoKOg==,type:str]
 sops:
     age:
         - recipient: age1fdrtfvf3ywarc4sq7jjc5d6elas3fr73cfenkkyyj0ck6z9x2d0qlpn92h
@@ -35,7 +36,7 @@ sops:
             MFp0UW1HSW9MbmppcHlNM25CaFhqOWcKppF0dE4YNh+mN1tyZju4zxM6ZFBSKx9U
             cGYtUemtt4s9ko3hPt8ZM/ysKOeZgnYoeG7QQnwSoF3F+/gurvb0Bg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-04T21:04:09Z"
-    mac: ENC[AES256_GCM,data:vn6ihNZnWEmUY7IW59YDHZNHVClmmxmo5Pb0efIamYMhESIUB0Q0EUQJKS4uGi0V9e38ZQtrUO/U4NHmk6gOOIF9xoRr2OgIQH9qt3UmWhUo3Vi60cUT0zwR4nyuDbaihV29prFh9twrcz4sdj8V73k93x2ALlC65I1dyOpFlqQ=,iv:eUpfZgVt+1jfA5m412gcPBeydb8aj2eGyss7OvIPIjY=,tag:P01vYyz+WkNBgfuNje9BEA==,type:str]
+    lastmodified: "2026-02-06T19:57:02Z"
+    mac: ENC[AES256_GCM,data:SWd5spIxeazSCT6L28UpTzPbnOInunxUy1XahAnP8Z1PmWo1yib56cazi4EGjE4gT3c2kHDcyTTPxj8FEDGHVWfQ3TFtFGMFEBWetC0TUTx7iLcSBCYue3LKtcabIkhsbl01VG5DR/srGWNao0hqp6oMPhsm4dE4DnvKXdJMlWw=,iv:nS/FsHnQuowQLeW+oVnFoLFtY+ZpqfEDfrQugLdNu4g=,tag:S+ncbjxItjzp3ts96O0t3w==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0